Leading Bug Bounty Program Threatens Lazy Vendors with Public Disclosures

Software developers and security researchers still don't see eye to eye on bug disclosures. There are times when the constant emphasis on the researcher's duty to make responsible disclosures appears to overshadow the vendor's duty to patch vulnerabilities in a timely manner. TippingPoint's Zero Day Initiative (ZDI), the world's leading bug bounty program, is trying to ensure that this fact is not lost on vendors.

ZDI has announced changes to its bug disclosure policy. Under the new policy, ZDI will publish “limited details” of a bug if the flaw remains unfixed six months after the vendor has been notified. Previously, ZDI only published details of bugs that the vendor had already patched.

“As the 5th year anniversary of the TippingPoint ZDI program rolls around we have had a chance to reflect on the frequently changing vulnerability disclosure best practices utilized within our industry. From the days of no-disclosure, to full, to responsible, to coordinated, our policy has remained relatively the same,” Aaron Portnoy, manager of security research at HP TippingPoint, wrote in a blog post Wednesday.

“In an effort to coerce vendors to work with us on patching these issues more promptly, the ZDI is announcing a 6-month deadline going into effect on 08/04/10. This means that the first vulnerability report, if needed, will be disclosed on 02/04/11. At the end of the deadline if a vendor is not responsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigations in an effort to enable the defensive community to protect the user.”